Jump to content
Tuts 4 You

Leaderboard

  1. kao

    kao

    Full Member+


    • Points

      224

    • Content Count

      2,335


  2. CodeExplorer

    CodeExplorer

    Moderator


    • Points

      201

    • Content Count

      3,110


  3. Teddy Rogers

    Teddy Rogers

    Administrator


    • Points

      174

    • Content Count

      8,945


  4. Kurapica

    Kurapica

    Full Member


    • Points

      129

    • Content Count

      848



Popular Content

Showing content with the highest reputation since 08/11/2019 in all areas

  1. 13 points
    awesome_msil_Out.exe Approach: 1. Necrobit is a jit protection, so we use Simple MSIL Decryptor by CodeCracker , and it shall be ran on NetBox 2. Code virtualization is a relatively new feature of .net reactor, added in version 6.2.0.0. Here is the approach i took (i did this about 6 months ago so my memory is kinda rusty ) : (Click spoiler to see hidden contents)
  2. 11 points
    Many years ago I wrote a software protector called MyAppSecured. Somewhere in the middle of porting it from Delphi to C++ I lost my interest in this project. Just found it on my HDD so I thought it might be helpful for someone. In short, the GUI of this protector is written in C++ and the protection stub in written in MASM. The C++ code loads a target in memory and adds 2 PE sections to it. One for the TLS callback code and one for the main code. The MASM stub will be written to those 2 sections. This protector has just 2 protection features: Analyze Immunity (anti-debug) and Memory Shield (anti debug-tools, OEP relocation). Note this is not a download-and-use-right-away protector. The code is written years ago so it's not very well written and also for some unknown reason the MASM stub could not be written into the 2 created sections. It did work very well years ago but I don't have the time to investigate why it doesn't work now. To be clear, the compiled exe file you will find in the package should run nicely but once you try to secure a exe file, that exe file is gonna be corrupted. This project is free for personal and commercial purposes. If you have any questions please ask, but keep in mind I abandoned this project and removed it from my HDD right after posting it here. Even if you are not gonna use this project it might be interesting to check the code. Some interesting stuff you might find there for your own project, such as emulating the CreateThreadW function in pure MASM, adding PE sections & relocation of OEP. MyAppSecured v1.00 Beta source.zip
  3. 10 points
    .NET Reactor v6.2.0.0 changed a few things. First, they added code virtualization which is not that hard because it's more straightforward than rest of code virtualization implementations that are in the market. You forgot to protect your code with this feature. Secondly, you can now hide your external and internal calls with their new "Hide calling" feature. You can use de4dot standard ProxyCallFixer1 to fix those delegates. Of course firstly you need to read them from initialization method but reading method is already implemented in the base version of de4dot (which is used for resources, strings etc). Thirdly, AntiDebug feature which is basically just a simple check of IsAttached, just nop these instructions. There are few more changes to necrobit feature, for example they hide PInvoke methods to break old de4dot implementation - pretty easy fix. Overall these changes are not that major to completely rewrite de4dot from scratch. Here is unpacked version of your file unpackme -cleaned.exe
  4. 9 points
  5. 8 points
    What makes you question either of these? Private: There are occasionally some techniques, practices (and tools) kept private to stay ahead of the game. Nothing has changed much over the years in this regard as far as I can tell. Knowledge: As @kao already mentioned most of the core techniques and information is out there to be discovered (in these forums for example). It only needs a willing and proactive individual to expand and develop on this information. As everyone seems to have their own blog (or YouTube channel) these days these generally seem to be the new format for tutorials. One day... when all my children have grown up and left home I can get my life back and get back to RCE and making traditional tutorials. Hopefully the RCE world will be an entirely new and interesting place to explore... 👍 Ted.
  6. 7 points
  7. 7 points
    I used this in my MyAppSecured exe protector project. This code emulates the winAPI CreateThread using ZwCreateThread, in pure MASM, compiled in WinASM studio. Feel free to use it for your own projects. ZwCreateThread example.rar
  8. 6 points
    I am referring to threads and posts like these: If a solution is selectively provided only to the OP by PM then it defeats the whole purpose of the Crackme/Unpackme section. In such cases, the solution provider should not even be acknowledged unless they provide working steps for everyone to learn from. This forum is a learning platform and if solution providers are expected to share the methodologies that they used for the solution. Here is yet another thread where the posts from the solution providers who gave vague steps was approved: Basically another thread containing "show-off" posts by the solution poster. Nothing practical provided and no proper steps were shown. I mean, take this for example (from this post): EXAMPLE 2 Basically useless. It's like saying that to climb the Himalayas one needs will-power, good training, a lof of good mountaineering tools, food packs etc and that one has to read up a lot of good manuals and practice on smaller mountains first... Only posts in the Challenges section which detail proper steps which are actually reproducible should be approved by the mods. OR... ALL POSTS there should be approved from anyone. Why just approve the "show-off" posts? Are we expected to "beg" the solution poster via PM for the steps? I am quite sure that my post may get deleted, since any posts which speak the truth seem to get selective get deleted these days, but nevertheless I wanted to bring up this point! Another example of an approved post where NO STEPS were provided:
  9. 6 points
    Is this a hidden feature of the protection or does the app just not work?
  10. 6 points
    It might have a few weird instructions since i'm new to this Crackme-cleaned-Devirtualized2.zip Info: This is the first version of eaz that i analyze so i can't say how 2019.x is different from 2020.1 but its definitely not uncrackable Steps i took (as i should have included since the beginning): 1 Learn how CIL works / CIL fundamentals (there are some nice ebooks that i can't link here ) 2 Learn how the assembly reader/writer of your choice works (dnlib for example) 3 Learn how a simple VM works ( https://github.com/TobitoFatitoNulled/MemeVM (the original creator of this vm left so this is a fork to keep the project alive)) 4 https://github.com/saneki/eazdevirt See how the previous devirt was made (and you could also check previous eazvm protected executables) 5 Practice your skills trying to make MemeVM Devirt, you can message me if you have any issues with this step (You can always disable renaming on memevm to make the process easier to understand). 6 Start renaming a EazVM test assembly (you can make your own with trial) with all the knowledge you got from the previous steps (and find how crypto streams are initialized, where opcodes are located & how they are connected to the handlers etc etc etc, things that you would find in a vm) Editing saneki's eazdevirt might be a good idea, though i was more comfortable making my own base.
  11. 6 points
    here is my production of face shields, already 200 dispatched around my town to local hospital, liberal nurses, etc...
  12. 6 points
    Hey guys, After a long time I started writing on my blog again. https://mrexodia.github.io/reversing/2019/09/28/Analyzing-keyboard-firmware-part-1 Best regards
  13. 5 points
    @XenocodeRCE: I have a huge respect for you as a RE guy but now you're just being a d*ck. If you have some personal issues with mamo/localhost0/whatever he calls himself this week, please resolve them privately and don't make a huge public drama out of it. No matter how I count, it's 3 months and 2 days max. If you're gonna whine, at least get your facts right. Umm, no. The requirement from law is to react on any reported copyright infringements, not to actively run around and search for any possible issues. See DMCA 512(c). So, if admins ignored a properly reported copyright issue for 3 months, then yes, maybe they could be held responsible. But that's not the case.
  14. 5 points
    https://mega.nz/file/xgonHADA#6-giBWOZXfODm7sLFAMzuCH9L2uQz4sL_9NNBlDkLTM - for those who don't want to fill in the stupid questionnaire with company email address, job position and what not. https://mega.nz/file/Nt4xSaoK#jRcuuuM2vS77DM9Y-KuT4UQUKiYIEl0KkKd6Cp9t7hE - code samples that TheHackersNews forgot to include. Book tries to cover very wide area of topics - from Windows to .NET to Linux, IoT, iOS, Android and shellcodes. By doing so, it fails to cover any of the topics in sufficient details. So, it's a "Jack of all trades, master of none".
  15. 5 points
    https://github.com/ribthegreat99OrN0P/Agile.NET-Deobfuscator @GameHackerPM @BlackHat To fix delegates, controlflow, and strings here yous go ive made a tool with many comments to help you understand!
  16. 5 points
    What's the point of this? You ran my file under de4dot and repost it? i can recognise my file ya know, i intentionally left this out (i haven't finished local types yet but i manually set the third local to int32) + i added 9 locals when only 3 get used
  17. 5 points
  18. 5 points
    Almost unpacked! I was only not able to remove the Delegates and the Control flow. What I removed is: - Anti Tamper (manually; the easiest way consists in finding the call to the anti tamper method (which can be identified by looking at ConfuserEx's source code), setting a breakpoint just after (so that the anti tamper method decrypts the CIL code) and getting the decrypted module in the "Module" section of the dnSpy debugger) - Hide Methods (https://github.com/illuZion9999/Rzy-Protector-V2-unpacker/blob/master/Rzy Protector V2 Unpacker/Protections/Hide Methods.cs (not really reliable, though; a good way would be to get the invalid instructions from the exception handler) - Anti Debug (identify the anti debug method by looking at ConfuserEx's source code and add a ret instruction at its start) - Module Flood & Junk (these are just useless methods & instructions, which can be removed without problems (i removed them manually)) - Native methods (using cawk emulator x86 methods retranslater: https://github.com/hackovh/ConfuserEx-Unpacker-2/blob/master/cawk-Emulator/.NET-Instruction-Emulator-master/CawkEmulatorV4/Instructions/Native/X86MethodToILConverter.cs) - Constants Protection (modded the ConfuserEx Unpacker 2 Constants Decryptor to support 3 parameters: https://github.com/hackovh/ConfuserEx-Unpacker-2/blob/master/ConfuserEx Unpacker/ConfuserEx Unpacker/Protections/Constants/Remover.cs ; you can also invoke the decryption which makes it way easier than emulating it) - Mutations (sizeof (https://github.com/RivaTesu/SizeOf-Fixer), simple operations (de4dot: https://github.com/0xd4d/de4dot) & double.parse (the double.parse method is hidden by a delegate but I recognized the protection ; you can still find a tool for it on GitHub, but you would have to change the parameter check if there are delegates (or, ideally, use an emulator, which should support the double.parse protection with or without delegates): https://github.com/Riziebtw/DoubleParseFixer (note that this tool is not really reliable, and would need some changes)) - Call to calli (https://github.com/Riziebtw/CalliFixer; note that this tool solves the call to calli when the call and its pointer are one after the other, while, in the challenge, the call pointer (an ldftn instruction) is set to an IntPtr field, which is used as a parameter for the calli. You would hence have to grab the fields value (which are assigned in the constructor of the <Module> type) and then solve the callis with these values.) Don't hesitate to get my file and remove the Delegates (and control flow but I consider it not necessary to remove) in order to fully solve the challenge! CrackMe - almost unpacked.exe
  19. 5 points
    Console example x64plgmnrc.exe -G "C:\x64dbg_root" // Set root path for x64dbg x64plgmnrc.exe -U // Update list from server x64plgmnrc.exe -S // Show list of plugins x64plgmnrc.exe -i x64core // Install last version of x64dbg x64plgmnrc.exe -i AdvancedScript // install AdvancedScript https://github.com/horsicq/x64dbg-Plugin-Manager
  20. 5 points
    https://github.com/GautamGreat/Scylla_Delphi_Plugin
  21. 5 points
    Hello guys, I'm proud to announce the beta release of AMED (an Advanced Machine Decoder). It's extremely fast, lightweight and supports the following architectures : - x86(with all its extensions including xeon instruction set). - aarch32(arm, thumb, neon, ARMv8+). - aarch64(with all its extensions including SVE). I also released the new version (v3) of opcodesDB. https://github.com/MahdiSafsafi/AMED https://github.com/MahdiSafsafi/opcodesDB What do you think guys ?
  22. 5 points
    This forum is overrun by lazy-ass noobs who don't really want to learn. They want to have a youtube video and automagic tool for everything. Ready-made tools are private for this exact reason. People who want to learn will find the necessary information to learn the basics. And once you show you've done your homework, knowledge and techniques are being shared freely. Maybe not 100% public but via PMs and chat.
  23. 5 points
    Posted a write-up about solving the keygenme. https://0xec.blogspot.com/2020/02/finally-solving-weasel-keygenme.html
  24. 5 points
    @Teddy Rogers: from what I was able to gather, this version was still being maintained and improved. Only original repo was taken down, forks are all up. For example, this one is fully up to date: https://github.com/Deteriorator/winrar-keygen.git
  25. 4 points
    Get your tools ready!
  26. 4 points
    In my opinion that solution will be acceptable only if the tool used is public.
  27. 4 points
    It's a really good question. The answer really depends. Let me give you few recent examples. Example #1: Extreme Coders names the tools and explains HOW to solve the crackme. A lot of effort is required but all the tools can be found via Google. So I have zero issues with the solution. Example #2: Prab names the tools but no explanation is given. "x86 retranslater" definitely cannot be found not on Google. "Clean control flow" tells the obvious thing but it doesn't explain HOW to do that. What's the point of such solution? The only thing reader will learn from this is that he needs a magic wand that he can't have.
  28. 4 points
    View File Reactor v6.3 Try to unpack or alternatively provide a serial. Protections used: Necrobit Antitampering Antidebug Obfuscation Code Virtualization + Shield with SNK Submitter whoknows Submitted 06/10/2020 Category UnPackMe (.NET)  
  29. 4 points
    https://github.com/DefCon42/op-mutation decided to release the source because it's a neat example of a practical application of linear algebra yes, i know the code does not look great and there's blatant violations of like every standard ever no, i won't change that :^) note: only works with relatively simple operations. add, sub, not, etc will work but higher order operators like multiplication and exponentiation will not
  30. 4 points
    Very mature choice for username and password. 😑 Tutorial:
  31. 4 points
    My personal belief is that the entire world around is fake - just a simulation. Our universe does have a creator and that creator may or may not be God. The pain & and struggles we face means nothing in the greater sense. We are nothing more than a programmed object. Even the pain or happiness is nothing but programmed feelings. For example, we design computer games with their own story-lines. In one such game there may be a person who is put under immense pain. There are many movies in which innocents die due to no fault of theirs. However we are not concerned since we know the pain is virtual. It's how we designed the game or movie. In a similar sense, our creator knows the pain we humans/animals face is also virtual. In the real world (which is not this world) this doesn't matter. Even the concept of life and death is fake. Death is simply a way of putting an expiry date. Is is possible to know the real truth? I guess it is. But once humans try to understand the real truth there will be no wars anywhere. There will be no struggle for wealth, fame and power. After all why run after wealth, fame & power in a fake world. If there is something that needs to be done is to try to find out the real truth and escape from this fake world.
  32. 4 points
    Not necessary to unpack to get the key. Key: Steps :
  33. 4 points
    aSqtsozBxQKKn5BC.mp4
  34. 4 points
    I think a lot of public knowledge sharing is going on, especially in the field of malware analysis with many good YouTube channels and blogs covering basics. It just looks like people move to social media (Twitter/Reddit/Discord) to discuss things and traditional forums start to show their age. There is also a very active CTF scene with many techniques and tools being shared (tools on GitHub) and it appears that the cheating scene is also still very active. If you look at more academic sources there are a lot of techniques published (frameworks like miasm/angr/triton or LLVM-based techniques) and there are still many things to be learned, you just have to be willing to put in the time. Obviously nobody is sharing tools for VMProtect/Themida/whatever, in my view simply because there is a lot of money to be made there, but a very similar thing has been going on in the dongle scene for years and that's nothing new.
  35. 4 points
    I blame high speed internet and HD porn ! << just kidding The knowledge is out there, as my friends already said, you just need the motivation to learn and explore, it's time-consuming and the new generation wants everything ready and they want it quickly.
  36. 4 points
  37. 4 points
    Phew! It has been close to 4 years and after a lot of wandering here and there I can proudly announce that I'm now able to calculate a valid serial for any name. Here are a couple. kao GCZ4B-QTD22 0xec FZNUL-THK22 Time taken to generate a key can vary from 2-5 minutes and takes about 12 GB of Physical RAM running on a Nvidia Tesla T4 GPU (2560 CUDA cores). Providing more RAM and CUDA cores may further reduce the time but I ran it on Google Colab and that's what they offer. I plan to do a write-up on my blog later but here it is in short. Initially, I felt the only way to solve the system of equations within a feasible time frame is through a quantum computer using something like Grover's search but the quantum computers available for public use (IBM Q Experience) at this time do not have enough qubits. So this approach had to be discarded. On deeper analysis, I found the system of equations is nothing but a system of Multivariate Quadratic (MQ) Polynomials. There's a field of Crypto related to this - Multivariate cryptography. Such cryptosystems are considered hard even for a Quantum Computer to attack let alone a classical machine. Luckily, there's an ongoing challenge based on the exact same idea - Fukuoka MQ challenge. It turns out small MQ systems particularly which are under-determined (more unknowns than equations) are solvable by classical machines within an accepting time frame and people have posted tools/algorithms to solve them. One of them is libFES . There's also a GPU implementation of FES which I have used here. So that's how it went. Thanks @kao for the challenge. Really learned a lot!!! Its a silver medal for now. Considering such systems of equation are solvable, generating a key within 1 sec could also be possible given the MQ challenge site posts that this cryptosystem is based on a signature scheme (Type -IV). Once we calculate the private key, generating the signature within 1s should be possible.
  38. 4 points
    Simple Polymorphic Engine (SPE32) is a simple polymorphic engine for encrypting code and data. It is an amateur project that can be used to demonstrate what polymorphic engines are. SPE32 allows you to encrypt any data and generate a unique decryption code for this data. The encryption algorithm uses randomly selected instructions and encryption keys. https://github.com/PELock/Simple-Polymorphic-Engine-SPE32 Sample polymorphic code in x86dbg window: Another polymorphic code mutation, this time with code junks
  39. 4 points
    The password is: Explanation: To apply VMProtect properly, you need to understand how each and every option works. Specifically, packing option just compresses data, it doesn't add any real protection. And if you do not use "VMProtect.SDK.DecryptString", strings are not encrypted. It's enough to run protected software under any debugger and search for strings in memory: As for proper unpack and/or devirtualization, it's something I have on my todo list. But I haven't got a "proper" solution that I could share at the moment.
  40. 4 points
    Actually Winrar was a kind of an earl adopter of ECDSA licensing, but they made a mistake in the implementation, much like level 10 armadillo. I still remember when I first came across this release - i thought, man, not another hardcoded-pseude-keygen ... then I saw "SeVeN/FFF". I was like "ahh shit here we go". Problem for Winrar is that their license is tied to archive signatures - if they change it they will break the signature mechanism.
  41. 4 points
  42. 4 points
    I have unpacked most of the protections just need someone to complete the last part of it, the calls/delegates!! Instructions: 1. Jit-dump the executable with JitDumper3/4 enable the checkbox (Dump MD). 2. Clean the (String And Flow) with SimpleAssemblyExplorer(SAE) checking the checkbox (Delegates} as well. 3. De4dot. Files.rar
  43. 4 points
    There is definitely room for a good modification of ConfuserEx to eventually happen and be posted here. ConfuserEx itself was the successor/fork of Confuser itself, which has greatly improved the original. ConfuserEx has completely changed how the .NET protection field has worked as well, with it completely influencing every other obfuscator on the market. Especially the ones made from people in the RE scene all using ConfuserEx as a base to work from. (Whether they want to admit to it or not.) Since ConfuserEx and now KoiVM are open source, they tend to be the most used and modified. No other real protection system for .NET is open source let alone offers the kind of features that they do. While it does mean a lot of terrible rebrands and mods will happen, it doesn't mean every single one is going to be trash in the future. Given that KoiVM is open source, it leaves a lot of room for others to take that concept and run with it to make their own VMs with much more in depth features, better C# language support for newer features, and so on. I don't think out-right banning it from existing on the site is a good idea either. There shouldn't be a reason to further divide what little of the RE scene is left. Some thoughts of mine on how to approach this going forward: 1. Make a new section/sub-forum specifically for ConfuserEx mods. This way the general .NET unpack section can focus on other non-ConfuserEx related challenges and not be drowned out with the various customizations/mods people want to post. 2. In the new section, have some type of guidelines/rules on what is considered a valid challenge. Mods to ConfuserEx that do nothing to the actual core and just add 1-2 new things should be rejected because the base/core has not been touched, therefore all the existing tools will work against said mod. Simply renaming the ConfuserEx attribute is not a valid means to try and deter tools from working etc. Focus on making sure people have actually put time/effort into their mods vs. just renaming the project and adding 1 thing to it. 3. Avoid belittling people that are coming here to learn and making an effort to work on modifications. Rather than people just shitting on someone or leaving a few word replies telling the person they suck, their mod is shit, etc. encourage people responding to the threads to actually give feedback in a friendly manner. Everyone started somewhere, knowing nothing, so putting egos aside and encouraging new comers to go back and learn certain things, showing them why a certain protection/mod doesn't work/help, etc. goes a long way. (Simply put, if your objective is just to be a dick when responding, just don't respond.) 4. If moderators are added, would really suggest making sure that there is some rules/guidelines on how they should moderate the new section/topics. Basically to avoid power-tripping, egos, and other nonsense that doesn't need to exist here. Another thing is to understand everyone has different skill levels when it comes to unpacking/cracking things, and while person A may think a given mod is weak/easy/crap, person B who is just learning may see the given challenge as a great learning experience and a way to enhance their skills. So avoiding skill sets being the end-all judgement of how something is moderated. Of course there are situations where things like this will have trolls or people posting challenges that have their own issues with pride/ego as well. Which is something seen already with a few people posting ConfuserEx mods that do not really understand the base project, how .NET operates, etc. For example, there is someone on a specific Discord community that keeps making 1-2 line edits to ConfuserEx and deeming it uncrackable. Every time, someone will use the existing tools, unpack his app and prove him wrong, but he refuses to be wrong and keeps spamming the Discord with modifications constantly. In a case like this I would say preventing them from posting new challenges for a given period of time may be warranted to avoid them from posting 100 different mods in a day. All in all though, I wouldn't recommend banning it altogether. The RE scene is so small anymore as it is, banning discussions on given topics at all is just going to further divide things than they already are. As it is, there are people on this site that land up driving new comers away already which most land up joining one of the various Discord communities instead that are focused on RE/.NET RE etc.
  44. 4 points
    You don't need to know correct key to get the flag: Is that what you're looking for? How-to: 1) Run and dump from memory; 2) (optional) Fix imports with Scylla; 3) Load dump in IDA; 4) Find WndProc and see how WM_COMMAND is handled; 5) The key check is very convoluted but it all ends up here: ... lots of horrible operations with entered key .. strncpy(buffer, encryptedFlag, 25); for ( n = 0; n < 25; ++n ) { v3 = buffer[n]; v4 = HIDWORD(v3) ^ HIDWORD(v20) ^ HIDWORD(v21) ^ HIDWORD(v22) ^ HIDWORD(v23) ^ HIDWORD(v11); v8[2 * n] = v3 ^ v20 ^ v21 ^ v22 ^ v23 ^ v11; v8[2 * n + 1] = v4; decryptedFlag[n] = v8[2 * n]; } // check last 2 bytes of decrypted flag result = 24; if ( decryptedFlag[24] == 'Z' ) { result = 23; if ( decryptedFlag[23] == 'C' ) ... Xor key for all bytes is the same. You know encrypted flag. You know last 2 bytes of decrypted flag. So, you can deduce XOR key and decrypt the flag.
  45. 4 points
    I have never used it before, but from the first look - it installs offline, doesn't require any activation or license key, you can create more than one sandbox (which was a limitation in unregistered versions) and "Forced programs" also works. Looks good to me. EDIT 2x: direct download links (REMOVED, as they apparently are time-limited)
  46. 4 points
    If that's the case, that's breakable. For RAR the most efficient attacks are bruteforce, and it's much much faster to bruteforce 6-symbol password than 12... You can try freeware cRARk (http://www.crark.net) or pirated Passware Kit to crack your passwords. Depending on your CPU/GPU, it might take few hours/days but that's certainly doable. EDIT: just to give you an example, my (quite outdated) PC can try 4500 passwords/second using cRARk. For the example, there are 26 capital letters, 26 lowercase letters and 10 numbers. So, 62 different characters. If it's a 4-symbol password, it's 62*62*62*62=14776336 possibilities. To try them all, it would take 3283 seconds, or 54 minutes. If it's a 6-symbol password, it's 62*62*62*62*62*62=56800235584 possibilites. That would be 144 days to try them all. If you know you used a word from dictionary, it's much easier to try all words from dictionary. If you used l33t sp34k, that's also a good information. If you know that you always put first capital letter, that's useful. And so on. Read the manual, make the most efficient rules for bruteforce and just try..
  • Newsletter

    Want to keep up to date with all our latest news and information?
    Sign Up
×
×
  • Create New...